Core Mac management policies every admin must know
Apple provides a dizzying range of policy options for Mac management, but a specific set of 13 policies is the most commonly used -- and is the most critical for managing and securing Macs in an enterprise environment. Each of the following core management policies applies to either Macs or users, unless otherwise specified:
- Network: For configuring network settings, including Wi-Fi configuration and some Ethernet connection details.
- Certificate: For deploying digital certificates used in encrypted communication within an organization as well as some identity credentials for specific services (many network services rely on certificates for secure communication and authentication).
- SCEP: To define settings for acquiring and/or renewing certificates from a CA (Certificate Authority) using SCEP (Simple Certificate Enrollment Protocol). SCEP provides an automated option that allows devices to acquire/renew certificates. It is used as part of Apple's MDM enrollment process for iOS devices and can be used for enrollment of Macs into a managed environment as well. SCEP configuration will vary depending on the CA and related management tools in operation.
- Active Directory Certificate: To provide authentication information for Active Directory Certificate servers. This policy can only be set for user accounts.
- Directory: For configuring membership in directory services, including Active Directory and Apple's Open Directory. Multiple directory systems can be configured. This policy can only be set for Macs.
- Exchange: For configuring access to a user's Exchange account in Apple's native Mail, Contacts, and Calendar apps. (It does not configure Microsoft Outlook.) This can be set only for user accounts.
- VPN: For configuring the Mac's built-in VPN client. Several variables can be configured. If this policy is in operation, users will not be able to modify the VPN configuration.
- Security & Privacy: For configuring several of OS X's built-in security features, including the Gatekeeper app reputation and security tool, FileVault encryption (can be set for Macs only, not users), and whether diagnostic data can be sent to Apple.
- Mobility: To set whether or not mobile account creation is supported, as well as related variables (see the first article in this series for information about mobile accounts).
- Restrictions: For restricting access to a range of OS X features, such as Game Center, App Store, the ability to launch specific apps, access to external media, use of the built-in camera, access to iCloud, Spotlight search suggestions, AirDrop sharing, and access to various services in the OS X share menu.
- Login Window: For configuring the OS X login window, including any login window messages (referred to as banners); whether or not a user may restart or shut down a Mac without logging in; and whether or not additional information about the Mac can be accessed from the login window.
- Printing: To preconfigure access to printers and to specify an optional footer for all printed pages.
- Proxies: For specifying proxy servers.